Computer security has become a paramount issue. Take for example the recent hacking into many email systems. Today, many systems are protected with encryption keys, passwords, rolling security keys, biometric detection, etc., yet hackers are still able to find openings in existing “secure” systems. It has long been accepted that a single device on a network becomes the weakest link and improper protection of that single device often makes the entire network vulnerable.
A single device becomes vulnerable through poorly crafted passwords (e.g. “password!” or “password1”), through poor account management (e.g., having an account on the device that is not password protected), by opening the wrong email, by browsing to a web site that has trap doors, etc. This single device also becomes vulnerable through lack of physical security such as forgetting the device in the seat-back pocket on a flight.
Unfortunately, security places a burden on the user of the device, having to remember passwords to access the device, using a biometric scanner each time the device is used, storing and managing keys, etc. The greater this burden, the more likely the user will find shortcuts, use simpler passwords, write down passwords, change time-outs to keep the device open longer, etc. Each shortcut severely weakens the security of the device.
Physical access security, like computer security, is likewise a concern and has been since the dawn of mankind. Visiting a major public event, arriving at the airport to board a plane or, in most cases, the simple act of entering one's place of employment demonstrate clearly the ever-increasing attention to physical security.
Personal identity security, like computer and access security, has come into intense and increasing focus due to the rapid increase in occurrences of identity theft. In 2005 very few had ever heard of income tax return identity theft and in 2015 such identity theft was a concern of many American tax payers and the Internal Revenue Service. So pervasive is the identity theft scourge that by 2016 monitoring and providing identity theft warning services became a multi-billion dollar business model, a service that notifies one of occurrence of, not protection from, identity theft.
Throughout modern history there has been and remains the need to establish the identity of a person, especially related to the use and access of a device and/or system but also as it relates to physical access security and personal identity security. There is an urgent need for the ability to establish that a person is who they claim to be. Throughout that same history, there have appeared actors who would usurp the identity of others for their own personal benefit. Such activity is often referred to as “identity theft” or “impersonation” or other euphemisms which collectively mean that one person has taken on the identity of another person more often than not for ill-gotten gains or to perform some nefarious act that may include physical harm to individuals and/or property or of complete societies, doing so while hiding behind the identity of an innocent individual.
Existing personal identifiers come in many different forms, shapes and sizes. In the physical space examples include driver's licenses, social security numbers, identification cards, birth certificates, passports and so on. In cyber space, there are user names and passwords, secret phrases, one time use integers, PINs, biometrics and more packaged as one, two or three factor authentication schemes.
Application of these various forms of personal identifiers are also many and varied but typically follow along the lines of: a person seeks access to a protected resource; the outer layer of security delivers a challenge to the person seeking access; personal identifier credentials of some nature are presented in response to the challenge; presented credentials are evaluated on two levels: are they valid and are they suitable to allow the access being sought; and upon verification the personal identifier is acceptable, the presenting person is granted access. This scenario plays out when the personal identifier is a physical thing such as for example: when a driver's license or passport is presented before boarding a plane. A similar scenario plays out in the cyber world when a user name and password are required to access online accounts or a PIN is required to enter one's place of employment. It is nearly impossible to make it through a day without being challenged to prove one's identity by presentation of some form of personal identifier.
There are failings of prior mechanisms that allow actors to usurp the personal identifier of a victim and to use that personal identifier to undertake an “impersonation attack.”
One failing of all prior mechanisms is the statically stored credential: the password, the single use token, the secret phrase, the biometric image or the driver's license, passport or birth certificate. If an object is stored as a static thing then it implicitly becomes available for discovery, hijacking, forgery and theft.
Additionally, the main failing of all current systems is a reliance on authentication of the credentials presented, not the person presenting them. Anyone presenting the good credentials of another person will be authenticated and granted access.
What is needed is an ability for a person to produce evidence derived in real-time establishing they are who they claim to be; a device that is uniquely identifiable on a worldwide basis, impossible to duplicate, known to belong to the person and having the ability to affirm from real-time calculations that the person in possession of the device is the person the device is assigned to and thus the presenter is therefore the person they claim to be.